Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Similar documents
Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

1-7 Attacks on Cryptosystems

Key Agreement Schemes

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

(2½ hours) Total Marks: 75

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Authentication Part IV NOTE: Part IV includes all of Part III!

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Elements of Security

Lecture 19: cryptographic algorithms

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptographic Checksums

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

ON SECURITY OF BLUETOOTH WIRELESS SYSTEM. Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica

Lecture 15: Cryptographic algorithms

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Symmetric Encryption

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Feedback Week 4 - Problem Set

Encryption. INST 346, Section 0201 April 3, 2018

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

S. Erfani, ECE Dept., University of Windsor Network Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Computational Security, Stream and Block Cipher Functions

2.1 Basic Cryptography Concepts

18-642: Cryptography 11/15/ Philip Koopman

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Security Handshake Pitfalls

Session key establishment protocols

Outline More Security Protocols CS 239 Computer Security February 6, 2006

CIS 4360 Secure Computer Systems Applied Cryptography

Session key establishment protocols

Authentication Handshakes

CS Computer Networks 1: Authentication

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

PROTECTING CONVERSATIONS

Crypto meets Web Security: Certificates and SSL/TLS

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

CSC 474/574 Information Systems Security

Chapter 9: Key Management

Public Key Cryptography

Key Establishment and Authentication Protocols EECE 412

Security Handshake Pitfalls

Spring 2010: CS419 Computer Security

Grenzen der Kryptographie

Computer Communication Networks Network Security

Distributed Systems. Lecture 14: Security. 5 March,

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Summary on Crypto Primitives and Protocols

An Analysis of Fast Handover Key Distribution Using SEND in Mobile IPv6

Nigori: Storing Secrets in the Cloud. Ben Laurie

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

CS 161 Computer Security

Anonymity. Assumption: If we know IP address, we know identity

Real-time protocol. Chapter 16: Real-Time Communication Security

Verteilte Systeme (Distributed Systems)

Proofs for Key Establishment Protocols

BAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

CSC 8560 Computer Networks: Network Security

Public Key Algorithms

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Unit 8 Review. Secure your network! CS144, Stanford University

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

CSCE 813 Internet Security Symmetric Cryptography

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Outline Key Management CS 239 Computer Security February 9, 2004

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

14. Internet Security (J. Kurose)

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Security: Cryptography

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

HY-457 Information Systems Security

1 Achieving IND-CPA security

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Implementing Cryptography: Good Theory vs. Bad Practice

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Applied Cryptography and Computer Security CSE 664 Spring 2017

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Solutions to exam in Cryptography December 17, 2013

SSL/TLS. How to send your credit card number securely over the internet

Analysis of e Multicast/Broadcast group privacy rekeying protocol

CS 332 Computer Networks Security

A Security Evaluation of DNSSEC with NSEC Review

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

Network Security and Cryptography. 2 September Marking Scheme

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Cryptographic Concepts

Transcription:

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol John Jersin Jonathan Wheeler CS259 Stanford University March 20, 2008 Version 1

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 2 Table of Contents 1 Abstract... 3 2 Protocol Overview... 3 2.1 Protocol Terminology and Nomenclature... 3 2.2 Protocol Outline... 4 2.3 Protocol Detail 1... 4 2.3.1 Session Setup, Stage 1... 4 2.3.2 Session Setup, Stage 2... 4 2.3.3 Session Setup, Stage 3... 5 3 Murφ Modeling Details... 5 4 Analysis of Found Attacks... 6 4.1 Rollback Attacks... 6 4.1.1 Attack I... 6 4.1.2 Attack II... 6 4.1.3 Fix for Rollback Attacks... 7 4.2 Brute Force Attacks... 7 4.2.1 Attack I... 7 4.2.2 Attack II... 8 4.2.3 Fix for Brute Force Attacks... 8 4.3 Denial of Service Attack... 9 4.3.1 Fix for Denial of Service Attack... 9 5 Conclusion... 9 6 References... 10

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 3 1 Abstract Bluetooth is designed for wireless communication between mobile devices. This paper provides a security analysis of the Bluetooth Version 2.1 + EDR pairing authentication protocol. An overview of how we modeled the security properties of Bluetooth using the Murφ verification tool is provided, followed by our findings and analysis. Three different types of attacks were confirmed: rollback attacks, brute force attacks, and a denial of service attack. 2 Protocol Overview Our focus is on the key generation phase of the Bluetooth protocol. This phase is essentially the session setup phase for a secure exchange of data between two devices. 2.1 Protocol Terminology and Nomenclature PIN K init K link RAND A B BD_ADDR E The pin is a secret passcode that is shared between two devices out of band. Normally a user types in the pin into both devices. If one device has a fixed pin, the user types that same pin into the other device. The initialization key is the first key generated by a pair of devices. It is generated from the shared pin, an address, and a nonce. It is used only until a link key is formed, then not used again. The link key is used for authentication at the end of the key generation phase. If encryption is used, the encryption key is derived from the link key. A random 128-bit nonce. The initiating Bluetooth device. The responding Bluetooth device. The Bluetooth Device Address, used to identify a Bluetooth device. A cryptographic hash function. The complex details of how this function is implemented is not a focus of this study, as we assume the underlying cryptography is secure.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 4 2.2 Protocol Outline 1. Pin shared out of band. 2. Bluetooth runs session setup to generate keys. 3. Use keys to communicate privately. Our focus is on step two with how Bluetooth runs session setup to generate keys. We assume that the pin sharing out of band is secure (step one). Furthermore, we assume that once the keys are established, the cryptography used to communicate with those keys is also secure (step three). 2.3 Protocol Detail 1 2.3.1 Session Setup, Stage 1 Generate initialization key based on PIN. First, the two Bluetooth devices share a PIN out of band. Again, we assume that this step of the process is secure, although it s possible that there are some issues with this step mainly involving human error and social engineering factors, such as choosing poor passcodes like 0000, among other errors. Second, an initialization key based on the inputted PIN is generated by both devices. Figure 1 A B: IN_RAND K init = E(BD_ADDR B, PIN, IN_RAND) Third, the devices must choose whether they want a combination key or a unit key. 2.3.2 Session Setup, Stage 2 1. If both devices want a combination key, use a combination key: Figure 2 A B: XOR(K init, LK_RAND A ) B A: XOR(K init, LK_RAND B ) K link = E(LK_RAND A, LK_RAND B ) 2. If one device wants a unit key, use a unit key:

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 5 Figure 3 A B: XOR(K init, K_UNIT A ) K link = K_UNIT A Unit key use in Bluetooth v2.1 + EDR is deprecated, but if one device requests the use of a unit key, the other device must rollback to support it. Regardless of the unit key sent, the receiving device must use that unit key. Unit keys are insecure for a device to use, because if device A connects to B using A's unit key, then later A connects to C using A's unit key, B will be able to listen in. This is avoided by deprecating unit keys, no new Bluetooth devices will request use of a unit key. 2.3.3 Session Setup, Stage 3 Authenticate the two devices based on the established link key. Figure 4 A B: RAND A B A: E(K link, BD_ADDR B, RAND A ) B A: RAND B A B: E(K link, BD_ADDR A, RAND B ) This step will fail if both parties do not have the same link key. 3 Murφ Modeling Details We chose to model Bluetooth s security properties using the Murφ Verification System, as it s a good tool for doing nondeterministic finite-state analysis on network handshake security protocols in general. Murφ allows one to specify a set of abstract rules for how the protocol behaves at a high level and what sets of conditions must be satisfied at each state. If a given invariant fails to hold in a particular state, and error is reported with the resulting error trace detailing precisely what steps are necessary to end up in that bad state. As a method of modeling, several natural simplifying assumptions are made. Since we assume that the cryptography itself is secure in this study, no actual encryption takes place in our model within the Murφ verifier. We simply mark a packet as being encrypted, and all responders/initiators/intruders must respect that flag and treat it as such. Furthermore, our model assumed that the intruder has full control of the network. That is, he may intercept, record, block, and generate packets at will. This assumption allows one to find potential man-in-the-middle attacks.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 6 4 Analysis of Found Attacks Our analysis of the Bluetooth v2.1 + EDR Pairing Authentication Protocol confirmed three different types of attack: rollback attacks, brute force attacks, and a denial of service attack. 4.1 Rollback Attacks Two variations of rollback attacks were found. These are the most serious attacks found. 4.1.1 Attack I The first rollback attack found involves a man-in-the-middle attacker. Both honest devices request use of a combination key, but both receive requests (apparently from their honest partner) to use a unit key. Both parties want a Combination key: Figure 5 A I: XOR(K init, LK_RAND A ) B I: XOR(K init, LK_RAND B ) But both get a unit key in response: Figure 6 I A: XOR(K init, K_UNIT I ) I B: XOR(K init, K_UNIT I ) K link = K_UNIT I This forces both parties to rollback to support the received unit key request, even though both actually sent combination key request to one another. 4.1.2 Attack II The second rollback attack builds on the first type of rollback attack. After setup completes the first time, and the first rollback attack has taken place, the honest parties periodically refresh their link key. The key refresh is done by running the session setup again starting with the link key messages. The intruder blocks these messages and sends messages which force the devices to keep the same key. Intruder sends back all zeros:

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 7 Figure 7 I A: XOR(K link, K link ) = 0000 I B: XOR(K link, K link ) = 0000 K link = K link This is possible because the request is simply a XOR of the old key and the new key. So if the XOR is all zeros, then the old key and the new key will be the same key. 4.1.3 Fix for Rollback Attacks 1. Unit keys are deprecated (starting with Bluetooth v1.2), so it would be best not to maintain backward compatibility. If a unit key request is received, terminate the connection. All modern devices should support combination keys, minimizing the impact. 2. Bluetooth should not chain the new link key with the old one. Instead, the entire session setup should be rerun starting with the first nonce that is used to generate a new initialization key. This guarantees that the new link key will be fresh and will not depend on the old link key. The rollback attacks stem from an attempt to maintain backward compatibility. Our attacks show that backward compatibility come at a cost, however, by implementing our second fix, backward compatibility could have been achieved without our more serious version of the attack. 4.2 Brute Force Attacks Two variations of brute force attacks were found. The question here is: Is it possible for the intruder to obtain a plaintext-ciphertext pair, which can then be used to computationally determine the PIN used? 4.2.1 Attack I The first brute force attack involves an intruder listening to two devices pairing. This is possible because a RAND nonce is sent in the clear and sent back encrypted as shown in Figure 4. This version of the attack is only possible when two devices are initiating a conversation, and the attacker records the messages.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 8 4.2.2 Attack II Another very similar brute force attack can be done without a pairing of two devices occurring. In this version, an attacker can collect enough data from a device to brute force the PIN without any special circumstances. First, an intruder device initiates a connection with a responder by sending a RAND nonce. The responder will use this nonce and the PIN to generate an initialization key. The attacker can then send a unit key request as shown in Figure 3 (Session Setup, Stage 2). Finally, the attacker can then send another RAND nonce. The responder will then send back the encrypted version of that nonce as shown in Figure 4 (Session Setup, Stage 3). It is important to note that the attacker does not know how the responder will interpret the unit key request, as the attacker does not yet know the initialization key with which it was XORed. The attacker can make repeated guesses as to what the PIN may be and attempt to decrypt the conversation on that premise. If a guess of the PIN results in a conversation for which the encrypted authentication nonce matches the one send in the clear, then the PIN is saved by the attacker. PIN's can be as small as 1 byte, making this attack potentially very dangerous, however, it is only possible because a plaintext ciphertext pair is available. 4.2.3 Fix for Brute Force Attacks The Bluetooth v2.1 + EDR specification states that if an initiating device fails at the authentication step (Session Setup, Stage 3), then the responder device must impose an exponentially increasing delay on the initiator being allowed to attempt to establish a new connection. This effectively blocks online brute force attacks. However, offline attacks, as above, are not only possible, but also entirely more powerful than any online attack. To prevent offline attacks Bluetooth should prevent an attacker from ever seeing a plaintext ciphertext pair. This can be done easily by encrypting the authentication nonces both ways in Figure 4. The responder would then reply with a message such as the nonce plus one. Using this method the attacker cannot verify guesses of the PIN entirely offline; guesses must be verified online, leveraging the built in online exponential backoff defense. The authentication nonces are likely sent in the clear to avoid unnecessary processing cost. However, because PIN's can be as small as 8 bits, it is important to avoid these attacks, as once a PT/CT pair is available, computation of the key becomes trivial, and online attack defenses have no effect.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 9 4.3 Denial of Service Attack If an attacker sends a series of nonces to a responder, the attacker can force the responder to do 3 cryptography operations for each 2 nonces that it sends, as depicted in Figure 1 and Figure 4. If the exponential back off feature of the responder denies further requests from the attacking device, then the attacking device can simply spoof its originating device address and make more new initiation requests. Furthermore, the Bluetooth v2.1 + EDR specification states that while this Bluetooth processes are executing no preemption may occur. Therefore, no real work can be done while this computation is being performed. This fact allows an attacker to perform a DoS attack on a solo device and stop the device from functioning as normal (e.g. a phone could not make phone calls). 4.3.1 Fix for Denial of Service Attack Some possible fixes for this attack include: 1. Perform authentication after K init is formed between Session Setup, Stage 1 and Session Setup, Stage 2. This is a one-time cost for the lifetime of the two devices, as the initialization key will always be the same between them. This improves the ration of work done in the protocol. 2. Use preemption. Preemption is not allowed in the Bluetooth specification in order to avoid reflection attacks (where a party reflects an authentication nonce back it its sender to get the correct response). However, other sufficient security measures already exist in the Bluetooth specification to prevent reflection attacks. Using preemption shouldn t be a security risk. This attack is dangerous largely because of the preemption issue. This represents a tradeoff between defense against two attacks, a reflection attack and a DoS attack. Because the reflection attack is not possible anyway, we believe that the protocol should have balanced its defenses by mitigating the DoS attack. 5 Conclusion Our work uncovers new vulnerabilities in the Bluetooth protocol. None of these directly compromise the basic security properties of the protocol such as secrecy or authentication. However, the attacks and their corresponding fixes are instructive. The Bluetooth protocol makes repeated tradeoffs between security and other issues such as hardware requirements and backward compatibility. The vulnerabilities shown in this report are all the result of such tradeoffs. By discovering these vulnerabilities and analyzing the tradeoffs that led to them, we feel we have shed light on security in the real world.

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol 10 6 References 1 Bluetooth Core Specification Version 2.1 + EDR. 27 July 2007. Bluetooth SIG, Inc. 20 March 2008 <http://www.bluetooth.com/bluetooth/technology/building/specifications/default.htm>.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback